DanielChronlund / DCToolbox

Tools for Microsoft cloud fans

Invoke-RestMethod error when using New-DCConditionalAccessPolicyDesignReport #5

Closed dbird03 closed 3 years ago

dbird03 commented 3 years ago

I'm getting the error below when running New-DCConditionalAccessPolicyDesignReport. I used Microsoft Graph Explorer to submit a GET request for https://graph.microsoft.com/beta/conditionalAccess/policies, and I noticed a few of our policies do have a location in excludeLocations with the id "00000000-0000-0000-0000-000000000000".

"excludeLocations": [
    "00000000-0000-0000-0000-000000000000"
]

[DBG]: PS C:\>
Invoke-RestMethod : {
  "error": {
    "code": "ResourceNotFound",
    "message": "NamedLocation with id 00000000-0000-0000-0000-000000000000 does not exist in the directory.",
    "innerError": {
      "date": "2020-11-25T14:18:08",
      "request-id": "5eafd8be-6507-404c-9c9f-81b5411a3a8d",
      "client-request-id": "5eafd8be-6507-404c-9c9f-81b5411a3a8d"
    }
  }
}
At C:\Program Files\WindowsPowerShell\Modules\DCToolbox\1.0.12\DCToolbox.psm1:685 char:29
+ ... ryRequest = Invoke-RestMethod -Headers $HeaderParams -Uri $GraphUri - ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

aaronparker commented 3 years ago

I think the GUID 00000000-0000-0000-0000-000000000000 is Any location. Using Graph Explorer with https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations it does not return any locations with that GUID but does return the locations I've created.

dbird03 commented 3 years ago

We don't use "Any location" for our location exclusions, but we do use "MFA Trusted IPs", so I'm guessing that's what 00000000-0000-0000-0000-000000000000 is in my error?

aaronparker commented 3 years ago

No - in the CA policy -> Conditions / Locations, you'll have something set for either Include or Exclude Any location with MFA Trusted IPs selected on the alternate. For example, you enforce MFA by including Any location and exclude MFA Trusted IPs, or perhaps include MFA Trusted IPs and have not touched the Exclude property. The result either way is that the CA policy has that 00000000-0000-0000-0000-000000000000 property in it.

New-DCConditionalAccessPolicyDesignReport will have to account for NamedLocation with the id 00000000-0000-0000-0000-000000000000 and skip it when generating the report.

The only way I could generate the report was to delete any CA policy that included Locations in Conditions.

DanielChronlund commented 3 years ago

00000000-0000-0000-0000-000000000000 is 'MFA Trusted IPs'.

I've updated New-DCConditionalAccessPolicyDesignReport to support this. However, my recommendation is to move away from the legacy MFA service and the exclusions there and use Named Locations in Azure AD instead.

Thank you for your help with this one!
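The failure mode in this thread is a report generator that looks up every location id in a policy's includeLocations/excludeLocations against the namedLocations endpoint, which 404s on the well-known placeholder id. The following is an added example written for this issue, not DCToolbox's own code and not the fix Daniel shipped: it resolves location ids to display names, short-circuits the well-known values before any Graph call, and degrades to a warning plus placeholder instead of aborting the whole report when an id genuinely cannot be resolved. The only mapping this issue confirms is 00000000-0000-0000-0000-000000000000 = 'MFA Trusted IPs'; the 'All' and 'AllTrusted' sentinels come from the Graph conditionalAccessLocations documentation rather than from this thread. The Graph call is injected as a script block so the sample runs offline against a constructed directory; in real use that script block would wrap Invoke-RestMethod against https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations/{id}, and the sample policy and named-location ids below are constructed.

```powershell
# Added example (not DCToolbox code): resolve Conditional Access location ids
# to display names without sending the well-known sentinel values to Graph.
# Confirmed by this issue: 00000000-0000-0000-0000-000000000000 = 'MFA Trusted IPs'.
# 'All' / 'AllTrusted' are the documented Graph sentinels (not from this issue).
$WellKnownLocationIds = @{
    '00000000-0000-0000-0000-000000000000' = 'MFA Trusted IPs (legacy MFA service)'
    'All'                                  = 'Any location'
    'AllTrusted'                           = 'All trusted locations'
}

function Resolve-CALocationName {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $LocationId,
        # Hypothetical injection point: a script block that fetches ONE named
        # location by id. Real code would wrap Invoke-RestMethod against
        # https://graph.microsoft.com/beta/identity/conditionalAccess/namedLocations/{id}
        [Parameter(Mandatory)] [scriptblock] $GetNamedLocation
    )

    # Sentinels are not namedLocation objects; never look them up.
    if ($WellKnownLocationIds.ContainsKey($LocationId)) {
        return $WellKnownLocationIds[$LocationId]
    }

    try {
        $location = & $GetNamedLocation $LocationId
        return $location.displayName
    }
    catch {
        # A stale or unknown id must not abort the report; surface it instead.
        Write-Warning "Named location $LocationId could not be resolved: $($_.Exception.Message)"
        return "Unknown location ($LocationId)"
    }
}

function Get-CAPolicyLocationSummary {
    param (
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [scriptblock] $GetNamedLocation
    )
    $loc = $Policy.conditions.locations
    $allIds = @($loc.includeLocations) + @($loc.excludeLocations)
    [pscustomobject]@{
        Policy                  = $Policy.displayName
        Include                 = ($loc.includeLocations | ForEach-Object { Resolve-CALocationName -LocationId $_ -GetNamedLocation $GetNamedLocation }) -join ', '
        Exclude                 = ($loc.excludeLocations | ForEach-Object { Resolve-CALocationName -LocationId $_ -GetNamedLocation $GetNamedLocation }) -join ', '
        # Flag policies still tied to the legacy MFA service so the migration
        # to Azure AD named locations recommended above can be tracked.
        UsesLegacyMfaTrustedIps = $allIds -contains '00000000-0000-0000-0000-000000000000'
    }
}

# Constructed sample: a policy shaped like the Graph response quoted in this
# issue, plus a fake directory standing in for the namedLocations endpoint.
$SamplePolicy = [pscustomobject]@{
    displayName = 'Require MFA outside trusted IPs'
    conditions  = [pscustomobject]@{
        locations = [pscustomobject]@{
            includeLocations = @('All')
            excludeLocations = @(
                '00000000-0000-0000-0000-000000000000',
                '11111111-2222-3333-4444-555555555555',   # constructed, exists
                '99999999-9999-9999-9999-999999999999'    # constructed, deleted
            )
        }
    }
}

$FakeNamedLocations = @{
    '11111111-2222-3333-4444-555555555555' = [pscustomobject]@{ displayName = 'HQ office egress' }
}

# Mimics the Graph 404 for ids that are not in the directory.
$FakeGetNamedLocation = {
    param ($Id)
    if (-not $FakeNamedLocations.ContainsKey($Id)) {
        throw "NamedLocation with id $Id does not exist in the directory."
    }
    $FakeNamedLocations[$Id]
}

Get-CAPolicyLocationSummary -Policy $SamplePolicy -GetNamedLocation $FakeGetNamedLocation | Format-List
```

Running this prints one warning for the constructed deleted id and still emits the summary row, with UsesLegacyMfaTrustedIps set to True; swapping the injected script block for a real Graph call is the only change needed to run it against a tenant.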

aaronparker commented 3 years ago

Nice one. Documentation here is the recommended alternative to MFA Trusted IPs: Optimize reauthentication prompts and understand session lifetime for Azure AD Multi-Factor Authentication

dbird03 commented 3 years ago

@DanielChronlund That was quick! I'll try the updated version when I'm back in the office next week.

I've pointed out many recommendations that should be made to this tenant's CA policies, and discontinuing use of the legacy MFA service is one of them. 🙂